Rivest Shamir Adleman, aka “The (in)Solitude of Prime Numbers”

During the last weekend I’ve got back to the good old times, with the Zeromutarts CTF, a challenge organised by the Technische Universität of Braunschweig, Germany.

I’ve found tho choice of the challenges very well made: some of them were easy, some others a little more tricky.
It has been a lot of fun, anyway, going through all of them.

wWat I’m sharing, here, is the solution of one of these challenges, called “rivest-shamir-adleman” – obviously concerning RSA encryption – which helped me to revise some interesting notions about maths applied in cryptography, (numbers are sexy!).

The challenge

The challenge was about decrypting this message, and catching the flag contained on it. of course, the encryption is made with a low exponent, and this makes possible to attack it easily.

In the python script attached to this challenge, the guys provide us with the elements we know

N = 80646413 e = 5

while d is unknown; this means – to summarize – that we only have a part of the public key, and we need to find the private one.
The python code attached, conveniently completed, will find the solution.

Let’s take a look to the arithmetic functions which are hiding behind that

solution 1

Finding private exponent by using Euler’s totient and Extended Euclidean algorithm.
We know that the modulus N is given by

N = p*q (where p and q are two prime numbers)

so

N = p*q = 80646413

let’s compute now the Euler’s totient of N, which is

φ(80646413) = 80628348

e is known being 5, the algorithm of RSA tells that d is e-times the modular multiplicative inverse of N

d = e (mod φ(N))

which is

d = 5 (mod φ(80646413)) = 5 (mod 80628348)

we can calculate the modular multiplicative inverse with the Extended Euclidean algorithm, (which, for instance, you can even find in the python code)

By factorizing each of these candidates, we’ll need to find all of those which accept 5, (e), as divisor: one of the good ones, divided by 5, will give you the value of d.

K = 1451310265 has these prime factors: 5*307*945479 = 5*290262053

d = 290262053

catch the flag :>

Now that we know even the private exponent of the encryption, we can use any RSA calculator online, (like this one by the Drexel University), and we can easily decrypt the message. the flag needed to solve the challenge was